DATA PRIVACY AGREEMENT (DPA)

Last modified date:

Referred to collectively as “The Parties”, or individually as “The Party”.

  1. General framework

As part of the services provided by MINDBAZ, the Parties also acknowledge that this agreement specifically applies to the SaaS service Sweego (https://www.sweego.io) offered by MINDBAZ. This service includes email and SMS routing, as well as other features related to the management of electronic communications. Therefore, the provisions regarding the protection of personal data and GDPR compliance also apply to this service.

THE CUSTOMER is the data controller and MINDBAZ is the subcontractor within the meaning of the “Information Technology and Freedom” legislation and GDPR. 

Within the framework of their contractual relations, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of 27 April 2016, applicable from 25 May 2018.

The purpose of these clauses is to define the conditions under which MINDBAZ undertakes to carry out the personal data processing operations defined below on behalf of the CUSTOMER.

  2. Processing

The CUSTOMER undertakes, when using SaaS e-mail and SMS routing services, to process personal data in accordance with the requirements of laws and regulations on personal data protection. The CUSTOMER’s instructions for processing personal data must comply with the laws and regulations on the protection of personal data. The CUSTOMER is solely responsible for the accuracy, quality and legality of the personal data and the means by which the CUSTOMER has acquired the personal data.

The CUSTOMER entrusts MINDBAZ with the processing of personal data for the purposes determined between the Parties.

The purpose of the processing of personal data by MINDBAZ is the management of SaaS e-mail and SMS routing services in accordance with the contract(s) in force between the Parties.

  3. Modalities

The sole purpose of the processing is the execution of the CUSTOMER’s contracts, i.e. the management of SaaS routing solutions. The persons concerned by this processing are the CUSTOMER’s customers.

The data collected are kept for the duration of the intervention in the CUSTOMER’s files, unless otherwise required by law or regulation. At the end of this period, the personal data is deleted by MINDBAZ.

  4. Security and confidentiality

MINDBAZ undertakes to process personal data solely on behalf of the CUSTOMER and undertakes to maintain the appropriate technical and organisational measures to guarantee the security, confidentiality and integrity of the CUSTOMER’s data.

MINDBAZ shall only process personal data on the documented instruction of the CUSTOMER, including transfers of personal data to a third country or an international organization, unless it is obliged to do so under EU law or the law of the Member State to which MINDBAZ is subject; in this case, MINDBAZ shall inform the CUSTOMER of this legal obligation prior to processing, unless the law in question prohibits such information on grounds of public interest. 

MINDBAZ undertakes to inform the CUSTOMER immediately if, in its opinion, a directive constitutes a breach of this Regulation or of other provisions of Union or Member State law relating to the protection of personal data. 

MINDBAZ shall ensure that authorised persons who process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality. 

In this context, MINDBAZ may not:

  • disclose, in any form, all or part of the data used;
  • copy or store, in any form and for any purpose whatsoever, all or any part of the information or data contained in the media or documents entrusted to it or collected by it during the performance of this Contract, outside the contractual framework.

  5. Technical and organisational security measures for processing

Taking into consideration the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, which vary in likelihood and severity, to the rights and freedoms of natural persons, MINDBAZ undertakes to take commercially reasonable measures to ensure a level of security appropriate to the risk, including but not limited to those necessary: 

  • use of pseudonyms and encryption of personal data;
  • means to ensure the continuity of confidentiality, integrity, availability and resilience of processing systems and services; 
  • means to restore availability and access to personal data within an appropriate timeframe in the event of a physical or technical incident;
  • a procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing. Within the framework of this assessment, MINDBAZ takes into account the risks presented by the processing resulting, in particular, from the destruction, loss, alteration, unauthorised disclosure of personal data transmitted, stored or otherwise processed, or from unauthorised access to such data, whether accidental or unlawful.

MINDBAZ undertakes to maintain these means during the execution of this contract and, in the event of failure to do so, to inform the CUSTOMER immediately.

  6. MINDBAZ Staff

MINDBAZ guarantees that its staff involved in the processing of personal data are informed of the confidential nature of personal data, have received appropriate training on their responsibilities and have signed written confidentiality agreements. MINDBAZ guarantees that these confidentiality obligations survive the termination of the staff’s contract.

MINDBAZ undertakes to take commercially reasonable measures to ensure the reliability of all its staff involved in the processing of personal data.

MINDBAZ ensures that access to personal data by its personnel is limited to personnel involved in the provision of the services in accordance with the Contract.

  7. Notification of incidents involving personal data

MINDBAZ shall notify the CUSTOMER of any incident related to personal data within a maximum period of 48 hours from the time it becomes aware of the same. Said notification shall be accompanied by all useful documentation so that the CUSTOMER can, where appropriate, notify the breach to the competent supervisory authority.

MINDBAZ will make reasonable efforts to identify the cause of this incident and will take whatever steps it deems necessary to remedy it.

MINDBAZ shall provide the CUSTOMER with assistance in communicating the information required in the context of the notification to the data controller, in accordance with the laws and regulations relating to the protection of personal data. 

This information will include:

  • the date and time of discovery of the incident;
  • the nature and extent of the incident;
  • additional information to enable the CUSTOMER to assess the personal data affected by the incident and the observed and likely consequences of the incident on the processing of personal data;
  • the measures taken or proposed by MINDBAZ to mitigate the negative effects of the incident;
  • any other information related to the incident, as reasonably requested by the CUSTOMER.

  8. Right to information of the interested parties

It is the responsibility of the CUSTOMER to provide information to the persons concerned by the processing operations at the time of data collection and to obtain their specific consent to the processing carried out by MINDBAZ for e-mailing and SMS sending purposes.

  9. Exercise of the rights of individuals

When the interested parties submit requests to MINDBAZ for the exercise of their rights, MINDBAZ shall send such requests to the CUSTOMER by e-mail once they have been received.

  10. Assistance to subcontractors

MINDBAZ undertakes, according to the means and information at its disposal, and depending on the nature of the processing, to provide the CUSTOMER with all reasonable assistance necessary to:

  • ensure compliance with personal data security obligations;
  • notify the supervisory authority of a personal data breach;
  • consult the supervisory authority in the event that an impact assessment indicates that the processing presents a high risk if the CUSTOMER does not take measures to mitigate it; 
  • communicate a personal data breach to the data subject;
  • carry out the data protection impact assessment. 

MINDBAZ shall assist the CUSTOMER in fulfilling its obligation to respond to requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to limitation of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

  11. Sub-processing

In the event that MINDBAZ should engage subcontractors for the performance of services in which personal data are processed, the Parties shall in particular ensure, within the framework of this contract, that MINDBAZ: 

  • requests prior written authorization from the CUSTOMER to hire another subcontractor; 
  • guarantees that all its subcontractors, whether employed by MINDBAZ or by one of its own subcontractors or by a subcontractor of even lower rank, commit themselves to the same level of obligation as MINDBAZ with regard to the protection of personal data.

Therefore, the sub-processor is obliged to perform the obligations of this Agreement on behalf of and according to the instructions of the CUSTOMER. MINDBAZ must ensure that the sub-processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures to ensure that the processing complies with the requirements of the European Data Protection Regulation. 

  12. Register of categories of processing activities

MINDBAZ declares that it keeps a written record of all categories of processing activities carried out on behalf of the CUSTOMER, including:

  • the names of the sub-processors and, where applicable, the data protection officer;
  • the categories of processing carried out on behalf of the CUSTOMER;
  • where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers provided for in the second subparagraph of Article 49(1) of the European Data Protection Regulation, documents demonstrating the existence of adequate safeguards;
  • as far as possible, a general description of the technical and organisational security measures, including, inter alia, as appropriate,
    • use of pseudonyms and encryption of personal data;
    • means to ensure the continuity of confidentiality, integrity, availability and resilience of processing systems and services;
    • a procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.

  13. Documentation

MINDBAZ shall make available to the CUSTOMER the documentation necessary to demonstrate compliance with all its obligations and to enable audits, including inspections, to be carried out by the CUSTOMER or another auditor appointed by the CUSTOMER, as well as to contribute to such audits.

  14. Return and deletion of personal data

Depending on the CUSTOMER’s choice, MINDBAZ will either delete all personal data or return it to the CUSTOMER at the end of its business relationship; existing copies will be destroyed, unless EU law or the law of the Member State requires the retention of personal data.

  15. Test management

MINDBAZ shall provide the CUSTOMER with all the information necessary to demonstrate compliance with its obligations under this article.

This documentation shall include all elements that demonstrate that the process is carried out in accordance with an instruction from the CUSTOMER.

It is specified that this documentation will allow audits, including inspections, to be carried out by the CUSTOMER or another auditor appointed by the CUSTOMER. 

  16. Obligations of the CLIENT vis-à-vis MINDBAZ

THE CLIENT undertakes to:

  • Provide MINDBAZ with the data necessary for the fulfillment of its obligations;
  • Document in writing any instructions concerning the processing of data by MINDBAZ;
  • Guarantee, beforehand and for the entire duration of the processing, compliance with the obligations established in the European Data Protection Regulation, in particular the obtaining of consent for the processing of data by MINDBAZ with respect to its own clients, and for e-mailing and SMS sending;
  • Oversee the processing, including conducting audits and inspections with MINDBAZ.

  17. Data Protection Officer

MINDBAZ shall communicate, where appropriate, to the CUSTOMER, the name and contact details of its data protection officer if it has appointed one in accordance with article 37 of the European Data Protection Regulation.